SEES Public API
The entitlement request and response are passed via a mutually authenticated SSL connection between the license server and the customer’s entitlement service.
The HTTPS URI scheme (https://tools.ietf.org/html/rfc7230#section-2.7.2) is used to define the entitlement endpoint, and the HTTP POST request method (https://tools.ietf.org/html/rfc7231#section-4.3.3) is used for the request. The entitlement endpoint, as well as a flag indicating back-end entitlement, is required and must be included in the policy at packaging time.
Entitlement Request
The body of the entitlement request will be a JSON object defined as shown below.
JSON entitlement request object definition
{
  "title" : "Entitlement Request",
  "type" : "object",
  "properties" : {
    "messageID" : {
      "type" : "string",
      "description" : "Unique ID for this message (GUID). Used to confirm that the subsequent response is actually for this request."
    },
    "version" : {
      "type" : "integer",
      "description" : "Version number of the protocol, currently 1."
    },
    "requestType" : {
      "type" : "integer",
      "description" : "Request type. 1 - time based entitlement request, 2 - device registration entitlement request 3 - device bound entitlement request."
    },
    "contentID" : {
      "type" : "string",
      "description" : "Content ID (GUID) that was given to the content during packaging time."
    },
    "customerCookie" : {
      "type" : "string",
      "description" : "Customer cookie. Cookie is just arbitrary string up to 32 characters long."
    }
  },
  "required" : ["messageID", "version", "contentID"]
}
Entitlement Response
The body of the entitlement response is a JSON object.
JSON entitlement response object definition
{
  "title" : "Entitlement Response",
  "type" : "object",
  "properties" : {
    "messageID" : {
      "type" : "string",
      "description" : "Unique ID from the Entitlement Request message. Must match, or entitlement will be denied."
    },
    "version" : {
      "type" : "integer",
      "description" : "Version number of the protocol; must be <= the version number from the Entitlement Request message."
    },
    "isAllowed" : {
      "type" : "boolean",
      "description" : "Grant the license or not."
    },
    "epTokenURL" : {
      "type" : "string",
      "description" : "ExpressPlay Token URL"
    },
    "error" : {
      "type" : "integer",
      "description" : "An error number produced by the entitlement server. Will be passed to the client as the 'code' field of the server error response."
    },
    "errorText" : {
      "type" : "string",
      "description" : "Additional error information produced by the entitlement server. Will be passed to the client as the 'text' field of the server error response."
    }
  },
  "required" : ["messageID", "version", "isAllowed", "epTokenURL"]
}
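The request/response correlation rules in the two schemas above, as an added Python example (not Adobe's or the SEES reference server's code): it builds a request body and applies the schema checks to a response, failing closed on any mismatch. The names build_request and check_response, the reason strings, and the deny-on-any-failure behaviour are assumptions of this sketch.

```python
import uuid

PROTOCOL_VERSION = 1          # "currently 1" per the request schema
REQUEST_TYPES = {1, 2, 3}     # time based, device registration, device bound
MAX_COOKIE_LEN = 32           # customerCookie length limit from the schema

RESPONSE_REQUIRED = {"messageID": str, "version": int,
                     "isAllowed": bool, "epTokenURL": str}
RESPONSE_OPTIONAL = {"error": int, "errorText": str}


def build_request(content_id, request_type=1, customer_cookie=None):
    """Build an entitlement request body following the request schema."""
    if request_type not in REQUEST_TYPES:
        raise ValueError("requestType must be 1, 2 or 3")
    body = {"messageID": str(uuid.uuid4()), "version": PROTOCOL_VERSION,
            "requestType": request_type, "contentID": content_id}
    if customer_cookie is not None:
        if len(customer_cookie) > MAX_COOKIE_LEN:
            raise ValueError("customerCookie is limited to 32 characters")
        body["customerCookie"] = customer_cookie
    return body


def _has_type(value, expected):
    # bool is a subclass of int in Python; keep JSON true/false out of
    # integer fields and JSON 0/1 out of the boolean field.
    if expected is int:
        return isinstance(value, int) and not isinstance(value, bool)
    return isinstance(value, expected)


def check_response(request, response):
    """Return (granted, reason); any schema or correlation failure denies."""
    if not isinstance(response, dict):
        return False, "response is not a JSON object"
    for field, expected in RESPONSE_REQUIRED.items():
        if field not in response:
            return False, f"missing required field {field}"
        if not _has_type(response[field], expected):
            return False, f"wrong type for {field}"
    for field, expected in RESPONSE_OPTIONAL.items():
        if field in response and not _has_type(response[field], expected):
            return False, f"wrong type for {field}"
    if response["messageID"] != request["messageID"]:
        return False, "messageID does not match the request"
    if response["version"] > request["version"]:
        return False, "response version exceeds request version"
    if not response["isAllowed"]:
        return False, f"denied by entitlement service (error={response.get('error')})"
    return True, "granted"
```

The strict type check matters for isAllowed: a response carrying the integer 1 instead of JSON true is rejected rather than treated as a grant.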